If you’re using Google’s “back up my data” feature for Android, the passwords to the Wi-Fi networks you access from your smartphone or tablet are available in plaintext to anyone with access to the data. And as a bug report submitted by an employee of the Electronic Frontier Foundation (EFF) on July 12 suggests, that leaves them wide open to harvesting by agencies like the NSA or the FBI.

“The ‘Back up my data’ option in Android is very convenient,” wrote Micah Lee, staff technologist at the EFF. “However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.”

The Backup Manager app stores Android device settings in Google’s cloud, associated with the user account paired with the device; the Backup Manager interface is part of the core Android application API as well, so it can be used by other Android apps. Backup is turned on by default for Nexus devices and can push data such as MMS and SMS messages, browser bookmarks, call logs, and system settings—including Wi-Fi passwords—to Google’s cloud for retrieval in the event that a device is broken, lost, or stolen.

“Since backup and restore is such a useful feature, and since it's turned on by default,” wrote Lee, “it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext Wi-Fi passwords for the majority of password-protected Wi-Fi networks in the world.”

Most of those Wi-Fi networks have been mapped by Google as well. So it would be relatively trivial for an organization with access to backup data to match Wi-Fi network names and passwords with geolocation data. The result would be a partial map of where the targeted user has been as well as access to the networks his or her device has connected to in its travels.

Lee suggested that an easy fix to this privacy hole would be to encrypt the content of backups with a user’s Google credentials or a separate sync password. “I don't think it's rational to expect users to trust Google with their plaintext passwords when Google can be compelled to give this data to the US government when they request it,” he added.
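A sketch of the "separate sync password" fix Lee describes, added here as an illustration; it is not Google's or Android's code, and the function names, blob layout and sample Wi-Fi entry are all constructed. The device derives a key from a passphrase that never leaves it, so the backup service stores only ciphertext.

```javascript
// Added illustration: encrypt a Wi-Fi settings backup on the device with a
// separate sync passphrase. Names, layout and sample values are constructed.
const crypto = require('node:crypto');

// Stretch the passphrase into a 256-bit key; the random salt travels with the blob.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Runs on the device. The returned string is all the backup server would receive.
// Layout (assumed): salt(16) | iv(12) | GCM tag(16) | ciphertext, base64-encoded.
function sealBackup(settings, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(settings), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Runs on the replacement device. Throws if the passphrase is wrong or the
// stored blob was modified, because the GCM tag no longer verifies.
function openBackup(blob, passphrase) {
  const raw = Buffer.from(blob, 'base64');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// True when the given passphrase cannot open the blob.
function isRejected(blob, passphrase) {
  try { openBackup(blob, passphrase); return false; } catch (err) { return true; }
}

// Constructed sample input, not real network data.
const sampleSettings = { wifi: [{ ssid: 'ExampleHomeNet', psk: 'correct-horse-battery-staple' }] };
const stored = sealBackup(sampleSettings, 'separate sync passphrase');
console.log('server-side blob:', stored.slice(0, 40) + '...');
console.log('restored SSID:', openBackup(stored, 'separate sync passphrase').wifi[0].ssid);
console.log('wrong passphrase rejected:', isRejected(stored, 'google account password'));
```

The cost of this design is that a forgotten passphrase makes the backup unrecoverable, since the service holds nothing that can decrypt it.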

Update: A Google spokesperson said in a conversation with Ars today that backup data is encrypted in transit from devices, and provided the following prepared statement from Google on the issue: “Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.”

The spokesperson could not speak to how the data is encrypted in transit, or how the data is secured at rest.

It's also worth noting this is a case where your private information can be exposed by others. E.g. I often give guests the wifi password. Some of them use Android. I would expect them not to share the password. But I didn't know they were storing it unencrypted in the cloud.

I've given the gov't and the administration the benefit of the doubt so far on the NSA surveillance activities. It's dirty, but we were all screaming for a paramilitary security state after 9/11 like a bunch of reactionary idiots, so I think we have only ourselves to blame for the Patriot Act.

Having said that, if we find out that the gov't is snooping people's passwords from Android, I will turn in my Obama card.

It seems odd to blame the NSA for something they might do while ignoring Google's shortsightedness for storing plain text passwords in a cloud environment. Storing any confidential information in plain text is plain stupid.

Lee suggested that an easy fix to this privacy hole would be to encrypt the content of backups with a user’s Google credentials or a separate sync password.

Wait, encrypting with the user's google credentials makes no sense if you want to protect against the NSA, as you enter those credentials (aka send them to google) every time you log into google.

Encrypting with a separate sync password makes sense (that's what I do in Chrome), but it should be acknowledged that there will be a relatively high error rate when people lose or break their phone and have to get a new one, but then forget their sync password and lose everything.

If you’re using Google’s “back up my data” feature for Android, the passwords to the Wi-Fi networks you access from your smartphone or tablet are available in plaintext to anyone with access to the data.

As I read it, this sounds a bit off. Micah says the passwords are backed up/restored in clear text from google from the phone. This does not mean the data is stored unencrypted on Google's servers, but probably is. Problem is, who exactly has access to this data? You only get this data when you back up or restore. Once you have a back up I doubt the phone is constantly sending this data all the time.

I'm sure a Wifi password isn't going to protect you from the NSA/Government Agency/Hacker/AnyoneWithABeefAgainstYou if they happen to park their truck across the street to snoop on you.

Awww let them print their WIFI password stories without criticizing. It's keeping an important issue in the news. Not like it is constantly in our faces at the mainstream level, but maybe if it stays on ARS and techdirt and popehat and all the others 24/7 for the next year, we might get 3 normal folks to say "We are being spied upon? This is outrageous!"

Having access to my WiFi password will give the NSA free Internet, provided they ever are in my neighborhood, and not much more.

It's okay with me.

I'm less worried about giving the NSA "free internet" and more worried what happens when some enterprising hacker cracks Google's servers and has a field day with the wealth of unencrypted information on there. Gaining access to encrypted WiFi networks on a mass scale would provide a treasure trove for such individuals and/or groups.

I would be more inclined to trust Google adequately securing the information if I didn't know they were storing passwords in plain text files. For all the crap we give MS for being a poorly managed company, Google seems to make an awful lot of half assed security decisions for such a massively profitable company. Especially one built entirely on information.

It seems odd to blame the NSA for something they might do while ignoring Google's shortsightedness for storing plain text passwords in a cloud environment. Storing any confidential information in plain text is plain stupid.

That's because it's typical fear mongering projection onto whatever or whoever happens to be the big bad boogey man at the moment for the sake of trying to remain relevant in some way. If the present big bad boogey man happened to be google it would be "EFF technologist says "back up my data" exposes users' data to google." or similar.

I've given the gov't and the administration the benefit of the doubt so far on the NSA surveillance activities. It's dirty, but we were all screaming for a paramilitary security state after 9/11 like a bunch of reactionary idiots, so I think we have only ourselves to blame for the Patriot Act.

Having said that, if we find out that the gov't is snooping people's passwords from Android, I will turn in my Obama card.

NO! Actually many of us were NOT and STILL question the govt reports of the 911 activity and the whole invade the wrong muslim country baloney since 911. Get your facts straight and speak for yourself. You onion head brain-washed militia clowns need to step up to the line and help stop what you've unleashed, not play dumb and look the other way!

The Chinese hackers who breached Google's corporate servers 41 months ago gained access to a database containing classified information about suspected spies, agents, and terrorists under surveillance by the US government, according to a published report. http://arstechnica.com/security/2013/05 ... fied-data/

I am really believing that google, facebook and the rest of these social networks have been invaded by groups like the NSA from the day they went public! Just like the IRS does, they plant a soldier or desk within the company and become the major staff!

Sometimes I think that people who fear the Government have quite the wrong apprehension.

True. But Google can't throw people in jail if they find personal data they don't like.

How on earth would you know? Heck, most people don't even know the NSA is under the Pentagon... and the Pentagon has a black fund in the billions... which cover a lot more than the NSA, CIA, FBI, etc. They aren't there to whistle Dixie!

NO! Actually many of us were NOT and STILL question the govt reports of the 911 activity and the whole invade the wrong muslim country baloney since 911. Get your facts straight and speak for yourself. You onion head brain-washed militia clowns need to step up to the line and help stop what you've unleashed, not play dumb and look the other way!

Wait, the 'militia' clowns, who are anti-anything to do with the government generally, are responsible for the government choosing to increase its broad powers in an even broader way?

Um, did anyone actually click on that Backup Manager link? It has nothing to do with a Google service - it links to a shady Hong Kong based (and apparently, pretty awful with a 3.6 rating) third-party backup manager in the Play store.

Sometimes I think that people who fear the Government have quite the wrong apprehension.

It's not an either/or thing. Anything Google (or any other big company) stores on you, a misbehaving government can trivially access. The only way to avoid this is to not allow 3rd parties to construct databases about you to begin with.

I personally am not that concerned with Google, Facebook, or the NSA accessing my data. But anyone who thinks that Google or Facebook will "protect" their data if the government decides it wants access to it is delusional.

If Google really was all about the spirit of "openness" that it tries to market Android as being in favour of, then they really need to integrate a standard cloud API which would allow you to use a cloud service of your choice (such as your OWN server) for things such as this rather than restricting you to use of Google's proprietary cloud services.

Does anyone think that the NSA couldn't figure out your wifi password if they wanted it?

Doesn't make it right, but that doesn't seem to matter anymore.

Yes, actually I think they would have a pretty hard time figuring out my 63-character, randomly generated wi-fi password. I also don't think they'd bother - if they're in wi-fi range of my house, they'd just go the extra step to break in and steal the data more directly, plant a keylogger, or whatever. I live in a small neighborhood where that black SUV would get more notice than someone who artfully picked my ancient locks and walked in the door while I was away.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.